Various networking strategies are used in modern computer networks to enable intra-organizational communication while attempting to accommodate security concerns about preventing unauthorized access to information. Such communications range from unencrypted E-mails to encrypted secure documents that should be accessible to only a subset of users having the privilege to use the intra-organizational network. The extent of such a network could be global in geographical terms and may include local high-speed connections along with, possibly, slow linkages to far-flung nodes.
It is desirable in the course of implementing networks to maximize authorized access without generating excessive network traffic due to the associated overhead. This overhead typically includes, among other things, maintaining a record of users authorized to access a particular network-accessible resource and frequently updating such records. In a simple case, each resource maintains its own list of authorized users, and upon receiving a request for service checks the list to prevent security breaches due to access by unauthorized users.
Users of a network are often organized into groups. The use of groups reduces the number of list entries that have to be checked by a resource (and updated by the system) prior to granting access to a requestor because many users may belong to a group, and thus proof of a user's membership in an approved group could suffice. Such proof may be provided by presenting an “access token” that lists all of the security groups to which a particular user belongs. Additionally, administrators have to manage only one account for each user, and each user typically needs to use (and remember the password of) only one account to access resources in a domain. Thus, an effective grouping strategy should reflect the security structure of the network and the organizational dynamics of the group members.
An illustrative example of such existing networking strategies is provided by the “Windows NT 4.0” software provided by “Microsoft®,” which is described next in some detail in order to provide a suitable background for the enhancements introduced in this application. In keeping with the preceding description, the “Windows NT 4.0” software envisages a logical grouping of network servers and other computers that share common security and user account information as a “domain.” Within domains, administrators usually create one user account for each user. Users then log on to the domain rather than repeatedly logging on to various individual servers in the domain. A domain is simply an administrative unit of Windows NT Server Directory Services corresponding to a security boundary. Thus, computers in a single domain can share physical proximity on a small local area network (LAN) or can be located in different parts of the world and communicate over various types of physical connections, including dial-up lines, ISDN, fiber, Ethernet, Token Ring, frame relay, satellite, and leased lines.
Within a domain, “domain controllers” manage all aspects of user-domain interactions. Domain controllers are computers running “Windows NT®” Server that share one directory database to store security and user account information for the entire domain. The domain controllers in each domain form a single administrative unit and use the information in the directory database to authenticate users logging on to domain accounts. Each domain has one primary domain controller (PDC), which tracks changes made to domain accounts. Whenever an administrator makes a change to a domain account, the change is recorded in the directory database on the PDC, which is the only domain server that receives these changes directly.
In addition, multiple backup domain controllers (BDCs) can exist in a domain. A BDC maintains a copy of the directory database. This copy is synchronized periodically and automatically with the PDC. BDCs also authenticate user logons, and a BDC can be promoted to function as the PDC.
An individual may use domain resources such as files, directories, and printers if he or she has a user account created by an administrator, who assigns a user name to an account, specifies the user's identification data, and defines the user's rights on the system. Resources in the domain are available subject to user rights, privileges and system-wide policies. Advantageously, there are predefined (built-in) groups with sets of user rights already assigned. Administrators, then, can assign user rights by adding a user account to one of the predefined groups or by creating a new group and assigning specific user rights to that group. Users who are subsequently added to a group automatically gain all user rights assigned to the group account. Although individual users can be given specific user rights, most administrators prefer to control actions on a group basis rather than on an individual user basis.
In contrast to “rights,” which are domain wide and defined in relation to the domain controller, “permissions” are rules that regulate which users can use objects (such as directories, files, and printers) and in what manner. The owner of an object sets the permissions on the object. Similar to user rights, a permission on an object applies to each member of a group if the group is granted the permission on the object. Under some circumstances a user may have a right but not the permission necessary to exercise the right. Often the right trumps the conflicting permission in such a situation.
Although small organizations can store accounts and resources in a single domain, large organizations typically establish multiple domains. Multiple domains with appropriate group definitions can advantageously allow an organization to manage far-flung operations with reduced administrative overhead in the course of doing business. A natural concern from a business and privacy perspective is security in the context of large networks. Often, security across multiple domains is provided through trust relationships. A trust relationship is a link that allows users authenticated in one domain to access resources in another domain, subject to access control.
Two types of trust relationships are encountered in most networks. In a one-way trust relationship, one domain trusts the users in the other domain to use its resources. More specifically, one domain trusts the domain controllers in the other domain to validate user accounts to use its resources. The resources that become available are in the trusting domain, and the accounts that can use them are in the trusted domain. However, if user accounts located in the trusting domain need to use resources located in the trusted domain, that situation requires a two-way trust relationship.
A two-way trust relationship is two one-way trust relationships in that each domain trusts user accounts in the other domain. Users can log on from computers in either domain to the domain that contains their account. Each domain can have both accounts and resources. Global user accounts and global groups can be used from either domain to grant rights and permissions to resources in either domain. In other words, both domains are trusted domains.
Two types of group accounts are supported in “Microsoft®” “Windows NT 4.0” software. A “global group” consists of several user accounts from only a single domain (the domain where the global group was created) that are grouped together under one group account name. “Global” indicates that the group can be granted rights and permissions to use resources in multiple (global) domains. A global group can contain only user accounts and can be created only on a domain controller and not on a workstation or member server.
In contrast, a “local group” consists of user accounts and global groups from one or more domains, grouped together under one account name. Users and global groups from outside a particular domain can be added to the local group only if they belong to a trusted domain. “Local” indicates that the group can be granted rights and permissions to use resources in only a single (local) domain. A local group can contain users and global groups, but it cannot contain other local groups. It is useful to note that global groups are an efficient way to add users to a local group. Although a global group can be granted permissions and rights in its own domain, it is best to grant rights and permissions to local groups and use global groups to add user accounts from account domains (trusted) to resource domains (trusting). Usually “Windows NT” domain controllers also support built-in local groups having rights corresponding to the built-in group names such as Administrators, Account Operators, Server Operators, Backup Operators, Print Operators, Users, Guests, and Replicators.
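As an added illustration that is not part of the patent text, the following Python model encodes the trust and group-containment rules described in the preceding paragraphs: global groups hold only their own domain's user accounts, local groups hold users and global groups (never other local groups) from the local domain or a trusted domain, an access token lists the groups a user belongs to, and a local group grants only on resources in its own domain. The domain, user, group and resource names are constructed for the example.

```python
class Domain:
    """A domain: its accounts, the domains it trusts, and its global and local groups."""
    def __init__(self, name):
        self.name = name
        self.users, self.trusted = set(), set()   # accounts; domains whose DCs this domain trusts
        self.global_groups = {}   # group -> user names (own domain's accounts only)
        self.local_groups = {}    # group -> (domain, kind, name) member tuples

def add_trust(trusting, trusted, two_way=False):
    """One-way trust: `trusting` accepts accounts validated by `trusted`; two-way is both."""
    trusting.trusted.add(trusted.name)
    if two_way:
        trusted.trusted.add(trusting.name)

def add_to_global_group(domain, group, user):
    """A global group holds user accounts from its own domain only."""
    if user not in domain.users:
        raise ValueError(f"{user} is not an account in {domain.name}")
    domain.global_groups.setdefault(group, set()).add(user)

def add_to_local_group(domain, group, member_domain, kind, name):
    """A local group holds users and global groups, never local groups, and only from trusted domains."""
    if kind == "local":
        raise ValueError("a local group cannot contain another local group")
    if member_domain.name != domain.name and member_domain.name not in domain.trusted:
        raise ValueError(f"{domain.name} does not trust {member_domain.name}")
    domain.local_groups.setdefault(group, set()).add((member_domain.name, kind, name))

def access_token(domains, user_domain, user):
    """Build the token: the user plus every global and local group that contains them."""
    token = {(user_domain.name, "user", user)}
    token |= {(user_domain.name, "global", g) for g, m in user_domain.global_groups.items() if user in m}
    for d in domains:  # a local group in any domain may hold the user or one of their global groups
        for g, members in d.local_groups.items():
            if members & token:
                token.add((d.name, "local", g))
    return token

def check_permission(resource_domain, acl, token):
    """Grant if an ACL entry is in the token; a local group entry counts only in its own domain."""
    return any(e in token and (e[1] != "local" or e[0] == resource_domain.name) for e in acl)

def build_example():
    """Constructed scenario: a resource domain with a one-way trust to an account domain."""
    acct, res = Domain("ACCOUNTS"), Domain("RESOURCES")
    acct.users.update({"alice", "bob"})
    add_trust(res, acct)                                   # RESOURCES trusts ACCOUNTS, not vice versa
    add_to_global_group(acct, "Engineers", "alice")
    add_to_local_group(res, "PrinterUsers", acct, "global", "Engineers")
    acl = {("RESOURCES", "local", "PrinterUsers")}         # permission set by the printer's owner
    return acct, res, acl
```

Because the trust is one-way, accounts from RESOURCES cannot be placed in an ACCOUNTS local group until a trust in the other direction is added.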
Member servers can participate in a domain, although participation is not required. Permissions can be set on the server's resources that allow users to connect to the server and use resources. It should be noted that a member server that does not participate in a domain has only its own database of users, and it processes logon requests by itself. It does not share account information with any other computer and cannot provide access to domain accounts. Only user accounts created at the server can be logged on to or given rights and permissions for using the server's resources.